News

Video Surveillance DVRs Exposed by Hard Coded Password

The security of devices that are internet accessible has become more and more critical in recent years. Recently cheap unsecured webcams have come under fire after many such devices were exposed by the Shodan search engine. Now as many as 46000 users of digital video recorders (DVRs) manufactured by Zhuhai RaySharp Technology may actually be making their property less secure, with it coming to light that the Chinese manufacturer has been using hard-coded unchangeable passwords for the highest user privileges in their software.

The vulnerability was discovered by security researchers from vulnerability intelligence firm Risk Based Security (RBS), who examined the software that the DVRs’ interface runs on. RaySharp’s DVR products have a web interface through which a user can view the camera feeds, manage settings and recordings and operate any pan or zoom features on the cameras. These web interfaces all run on a Linux OS based firmware, which on examination of the CGI scripts that manage the user authentication of the web interface a routine was found that checks to ensure the user-supplied username is “root” and the password is “519070”. Using these credentials to log into the web interface would provide full system access.

Using hard-coded passwords for small-scale systems used to be an accepted practice, where physical access to the system would generally be required regardless. Such things are now considered to be unacceptable by most, with many vendors developing secure systems and working to ensure vulnerabilities that do pop up are patched. That RaySharp still use hard-coded root passwords would be bad enough, but the Chinese firm also manufacture DVR products and provide firmware for a number of other companies worldwide with RBS researchers finding that at least some of the DVR products from König, Swann Communications, COP-USA, KGUARD Security, Defender and LOREX Technology, contain the same hard-coded root password. Another CGI script found in RaySharp firmware listed 55 vendors that apparently use the same firmware, so the impact could be much greater.

For those in possession of a DVR system from Raysharp or one of the other affected firms, RBS researchers chose to release information on the vulnerability, so that they can check for themselves whether their system possesses the issue. They recommend that any DVR that uses the username and password combination of root and 519070 should not be accessible on the internet and if access is required, it should be done by first logging into a VPN.

With the recent revelation that many webcams had been unwittingly exposed publicly online, it is likely that the same may occur for these DVRs. Hopefully, those with vulnerable DVR systems will discover the issue and take precautionary steps to avoid unwittingly sabotaging their own efforts to make their property or possessions safer.

Alexander Neil

Disqus Comments Loading...

Recent Posts

Helldivers II Adds Killzone 2 Collaboration

Despite Helldivers II's popularity, fans have long felt the game lacked collaborations. Nearly a year…

18 mins ago

Call of Duty: Black Ops 6 Anti-Cheat System Didn’t Perform Well, TeamRICOCHET Admits

The anti-cheat system in Call of Duty: Black Ops 6 and Warzone has not met…

33 mins ago

NVIDIA’s New App Causes Game Slowdowns: Here’s How to Fix

The NVIDIA app, which recently replaced GeForce Experience, has gained popularity for its revamped interface…

41 mins ago

AMD May Launch Ryzen 5 9600 Non-X Variant in Late January 2025

AMD is gearing up to expand its CPU lineup in early 2025, with recent leaks…

48 mins ago

AMD Ryzen AI 7 350 from Upcoming Kraken Point Series Spotted on PassMark

Following the leak of AMD's flagship laptop CPU, another processor from the AMD Kraken Point…

1 hour ago

DeepCool Launches ASSASSIN IV VC VISION CPU Cooler

DeepCool has just announced the ASSASSIN IV VC VISION CPU cooler, the latest in its…

5 hours ago